This morning I am addressing a fairly typical problem that landed on my desk last Friday. I probably won’t be able to share a lot of the details, but you, constant reader, may benefit from knowing the contours of this particular problem.
Today’s Problem:
Last Friday an associate introduced me to a new person. They had been contacted by email and based on just a couple screen shots there were three possible explanations:
Some sort of domestic U.S. corporate/political fuckery afoot.
Foreign intel up to something too murky to easily describe.
Extortion ring doing an extortion.
I started looking at infrastructure involved and found this. Top is a legitimate company, bottom is a domain squat made to look like them. This showed the company was uninvolved, eliminating the first possible explanation.
So the problem is some sort of intel thing OR it’s fairly sophisticated grifting. Can’t say the name, but this is what I see with their hosting. The victim and perpetrator domains are both using Google Workspace. This all screams super low budget, except for the dedicated Google Analytics account. They are using this to capture information about who may have taken the bait.
I called the phone number for the company and found a “nobody really calls us” presence behind the number. I went through the company’s employee list, sending a LinkedIn connect request to half a dozen executives with whom I share connections. Then I posted this in the open:
Here’s an example of the connection request:
Given what’s going on there is some possibility that the operators of the spoof have a foothold in the legitimate company’s network. If they start yapping about the problem via email and that gets noticed, they could find themselves dealing with a ransomware problem on top of the issue they already face.
Our Exercise:
What does this mean in terms of The Online Operations Kill Chain?
The kill chain is for broad influence ops while this is very focused. Even so, the bad actors, in this order:
Gathered information on targets.
Planned a complex attack.
Acquired & disguised assets.
Are trying to evade detection.
Selected key targets to engage.
May have compromised the legit company’s systems along the way.
So it’s not precisely what we intended to do this quarter, but its’ definitely in the ballpark.
Conclusion:
There are a number of key takeaway from this experience.
The individual who reported this had a theory of what was happening based on their personal history, specifically a previous attack they weathered. This was a possible fit for what had happened. But it was not correct.
Uncovering the reality required cross domain expertise, specifically an application of Maltego, BuiltWith, and RiskIQ to determine that the legitimate company was being spoofed. Without that portion of the examination we’d have gone off pursuing the initial theory and that could have played right into the attacker’s hands.
Escalating the problem to the point where the company being spoofed begins their incident response has not yet happened. This is a touchy business, I’m attempting to make contact without tipping the bad guys, but if the first person I reach decides to ignore the requirement to CALL on this and instead sends an email or some other computer based communications, that could be the beginning of a catastrophe.
Here are some negative events that could still happen even now.
Company gets ransomware and is down for some time.
Ransomware is pernicious enough that they simply can’t recover.
Bad actor has extracted much data from them already, darknet markets get it.
Reputation damage from a leak could well destroy the company.
Compromised employee systems permit persistent access after response.
I could probably double that list, but it’s early and I’m not actually awake yet. I’ve been looking at their employees and I’m starting to wonder if the pandemic didn’t send them all home to work, and they just decided to abandon office hours completely. There are several ways to get their attention IRL, but I’m hoping I’ll just get a new Signal contact between now (2023-11-13-0846) and lunch time.
So there you have it. Operators are standing by. The career you save may be your own.
Tangentially connected individual got back to me at at 1218. I had other stuff going on, didn't notice until 1506. So this is gonna slide into business hours Tuesday before it gets attention. Can you say "nerve wracking"? Yeah, I imagine anyone reading this Substack has that down pat.